Profile Applicability:
Level 1
Description:
Service account keys, including a key ID and private key, are used to authenticate programmatic requests to Google Cloud services. It is recommended to rotate all user-managed (external) service account keys every 90 days to enhance security.
Rationale:
Rotating service account keys periodically reduces the risk of:
Unauthorized access due to a compromised, stolen, or lost key.
Prolonged exposure of old or vulnerable keys.
Google Cloud Platform (GCP) automatically manages and rotates the keys used for service-to-service authentication. However, users must manage the rotation of external keys created for use outside of GCP. To facilitate this, GCP supports up to 10 keys per service account, so a new key can be created and rolled out to applications before the old one is deleted.
Impact:
Rotating user-managed service account keys can disrupt dependent applications. Applications must be updated manually with the new key ID and corresponding private key to ensure continued functionality.
Default Value:
By default, GCP does not automate the rotation of external (user-managed) service account keys. Key management is the user's responsibility.
Audit Steps:
Using Google Cloud Console:
Navigate to APIs & Services > Credentials at GCP Credentials Console.
Under the Service Account Keys section, click on each credential and check the creation date of all external (user-managed) service account keys.
Verify that all keys were created within the past 90 days.
Using Google Cloud CLI:
List all service accounts in a project:
gcloud iam service-accounts list
For each service account, list the keys and check their validity:
gcloud iam service-accounts keys list --iam-account <SERVICE_ACCOUNT_EMAIL> --format=json
Ensure that the validAfterTime value for each key is within the past 90 days.
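The age check in the two CLI steps above, as an added example that is not part of the benchmark: a Python script that reads the JSON output of `gcloud iam service-accounts keys list` and reports user-managed keys created more than 90 days ago. It assumes the `keyType` and `validAfterTime` fields as gcloud emits them; the sample output embedded below is constructed.

```python
"""Flag user-managed service account keys older than 90 days in the JSON
output of: gcloud iam service-accounts keys list --iam-account <EMAIL> --format=json"""
import json
import sys
from datetime import datetime, timedelta, timezone

MAX_KEY_AGE_DAYS = 90

# Constructed sample of gcloud's JSON output (not from a real project);
# the project, account and key IDs below are placeholders.
SAMPLE_KEYS_JSON = """[
 {"name": "projects/example-project/serviceAccounts/app@example-project.iam.gserviceaccount.com/keys/aaaa1111",
  "keyType": "USER_MANAGED", "validAfterTime": "2024-01-10T12:00:00Z"},
 {"name": "projects/example-project/serviceAccounts/app@example-project.iam.gserviceaccount.com/keys/bbbb2222",
  "keyType": "USER_MANAGED", "validAfterTime": "2024-05-01T08:30:00Z"},
 {"name": "projects/example-project/serviceAccounts/app@example-project.iam.gserviceaccount.com/keys/cccc3333",
  "keyType": "SYSTEM_MANAGED", "validAfterTime": "2024-01-01T00:00:00Z"}
]"""


def parse_gcloud_time(value):
    """gcloud prints RFC 3339 timestamps with a trailing 'Z'; make them tz-aware."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def stale_user_managed_keys(keys_json, reference_time=None, max_age_days=MAX_KEY_AGE_DAYS):
    """Return {key_id: age_in_days} for USER_MANAGED keys whose validAfterTime
    (creation time) lies more than max_age_days before reference_time (an RFC 3339
    string; default: now). SYSTEM_MANAGED keys are skipped because Google rotates them."""
    now = parse_gcloud_time(reference_time) if reference_time else datetime.now(timezone.utc)
    stale = {}
    for key in json.loads(keys_json):
        if key.get("keyType") != "USER_MANAGED":
            continue
        age = now - parse_gcloud_time(key["validAfterTime"])
        if age > timedelta(days=max_age_days):
            stale[key["name"].rsplit("/", 1)[-1]] = age.days
    return stale


if __name__ == "__main__":
    # Pipe gcloud's JSON into this script; exit non-zero when any key is overdue.
    data = sys.stdin.read() if not sys.stdin.isatty() else SAMPLE_KEYS_JSON
    overdue = stale_user_managed_keys(data)
    for key_id, days in overdue.items():
        print(f"key {key_id} is {days} days old (limit {MAX_KEY_AGE_DAYS}); rotate it")
    sys.exit(1 if overdue else 0)
```

Run it per service account as `gcloud iam service-accounts keys list --iam-account <SERVICE_ACCOUNT_EMAIL> --format=json | python3 check_sa_keys.py`; a non-zero exit marks an account that fails the audit.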
Remediation Steps:
To Remove Old Keys (Using Google Cloud Console):
Navigate to APIs & Services > Credentials at GCP Credentials Console.
Identify keys older than 90 days under the Service Account Keys section.
Delete outdated keys by clicking the Delete (Trash) icon.
To Create New Keys (Using Google Cloud Console):
Go to APIs & Services > Credentials.
Click Create Credentials and select Service Account Key.
Choose the desired service account from the dropdown list.
Select the key type format (JSON or P12) and click Create.
Download the private key and store it securely.
Note the new key ID displayed in the Service Account Keys section.
Using Google Cloud CLI:
Delete Old Keys:
gcloud iam service-accounts keys delete <KEY_ID> --iam-account <SERVICE_ACCOUNT_EMAIL>
Create a New Key:
gcloud iam service-accounts keys create <OUTPUT_FILE_PATH> --iam-account <SERVICE_ACCOUNT_EMAIL>
References:
Additional Information:
Key rotation for user-managed service account keys is entirely the user's responsibility.
Ensure secure handling of downloaded private keys to prevent unauthorized access.